Jump to content

Recommended Posts

Antipova Anna
Posted

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

This article is about Kaspersky Endpoint Security for Windows (KES for Windows)

aescrypt.zip and TestProgExp.zip can be found here.

Remote encryption test

This test requires two participating workstations: an Attacker PC and a Victim PC. Behavior Detection component has to be configured on a Victim PC to detect malware activity, protect shared folders and block connections on detection of external encryption. 

Step-by-step guide

  • On a Victim PC create folder with regular office-like files: *.DOC, *.DOCX, *.XLX, *.JPG
  • Share folder on the Victim PC, ensure that the account logged on to the Attacker PC has full access to the shared folder. Map the shared folder as a network drive on the Attacker PC.
  • Add/unpack the aescrypt.zip archive to the Attacker PC.
  • Add contents to the list.txt file, based on the files in a mapped folder. Since the folder is mapped, paths will look like local ones, eg. Z:\Book1.xlsx. Use the contents of file example-list.txt as an example:

image.thumb.png.221fd94637277b7b0048fc4dacd8a345.png

  • On an Attacker PC, launch test.bat file to start encrypting files from list.txt .
  • Behavior Detection in KES on the Victim PC will detect the attempt and will try to perform a rollback.  Full access to a share on Victim PC for an Attacker PC will be blocked (if specified in KES policy).     
File restoring event is logged on a protected workstation
Access to a folder is blocked from an attacker's point of view

image.thumb.png.b88bda8ddb389eb54cbfe583f563667b.png

image.png.64238335b90c5525496f8179ea18855b.png

Local encryption test

Step-by-step guide

  • Prepare a folder with files to get encrypted, perform tests on files *.DOC, *.DOCX, *.XLX, *.JPG.      
  • Add/unpack to this folder the attached TestProgExp.zip utility.                                                                                                                                                                                               

image.png.b0b33c642cdd1c06c3f5a0a5d7ea1f39.png

  • Launch TestProgExp utility to start the encryption.
  • Files will be encrypted in a folder with test utility

image.png.67e00898ddf95150db5eabf0c7e112d2.png

Allow some time for Behavior Detection in KES to detect the attempt and perform the rollback, as well as get rid of the suspicious software:

Files get restored
 

         

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now


×
×
  • Create New...